Description

Security researcher Karthikeyan Bhargavan of Prosecco at
INRIA reported Content Security Policy (CSP) 1.0 implementation errors. CSP
violation reports generated by Firefox and sent to the "report-uri" location
include sensitive data within the "blocked-uri" parameter: the fragment
component and query string of the blocked URI are included even when that URI
has a different origin than the protected resource. Malicious sites can use
this to retrieve a user's OAuth 2.0 access tokens and OpenID credentials.
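The following is an added example, not code from the advisory or from Firefox, showing the report sanitization a conforming CSP implementation applies before a violation report leaves the browser: a cross-origin "blocked-uri" is reduced to its origin, and a same-origin one loses only its fragment. The sample report, its origins (app.example, idp.example) and the token value are constructed for this example.

```javascript
// Added example: apply the CSP "strip URI for reporting" rule to a violation
// report so that query strings and fragments of cross-origin URIs are never
// sent to the report-uri collector. Sample data below is constructed.

function stripUriForReporting(blockedUri, documentUri) {
  let blocked;
  try {
    blocked = new URL(blockedUri);
  } catch (e) {
    // Keyword values such as "self" are not URLs; pass them through untouched.
    return blockedUri;
  }
  const protectedOrigin = new URL(documentUri).origin;
  if (blocked.origin !== protectedOrigin) {
    // Cross-origin: report the origin only. Path, query and fragment (where
    // OAuth 2.0 implicit-flow tokens travel) are dropped.
    return blocked.origin;
  }
  // Same-origin: keep path and query, but strip the fragment.
  blocked.hash = "";
  return blocked.href;
}

function sanitizeCspReport(report) {
  const r = report["csp-report"];
  return {
    "csp-report": {
      ...r,
      "blocked-uri": stripUriForReporting(r["blocked-uri"], r["document-uri"]),
    },
  };
}

// Constructed sample report: the blocked URI is cross-origin to the protected
// resource and carries both a query string and a fragment. The token value is
// a placeholder, not a real credential.
const leakyReport = {
  "csp-report": {
    "document-uri": "https://app.example/dashboard",
    "violated-directive": "frame-src 'self'",
    "original-policy": "frame-src 'self'; report-uri /csp-report",
    "blocked-uri":
      "https://idp.example/callback?state=abc#access_token=EXAMPLE_TOKEN_NOT_REAL",
  },
};

const safeReport = sanitizeCspReport(leakyReport);
// The sanitized report now carries "https://idp.example" as blocked-uri.
console.log(JSON.stringify(safeReport, null, 2));
```

The same function can be run on the server side over reports already received by a report-uri collector, as a check that the reporting browser stripped cross-origin URIs: any cross-origin "blocked-uri" that still contains a "?" or "#" indicates a client that leaks the data this advisory describes.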